WordPress.DB.PreparedSQL.NotPrepared
SQL query is not prepared
A database query includes dynamic data without using `$wpdb->prepare()` or an equivalent safe pattern.
Why It Shows Up
The scan found a SQL string passed to a `$wpdb` method (`get_results()`, `get_var()`, `query()`, and so on) in which PHP variables are interpolated or concatenated directly instead of being bound through `$wpdb->prepare()`. The check is static: it does not know whether a variable was validated earlier, so it flags any raw variable in the query text other than `$wpdb` properties such as `$wpdb->prefix`.
Why It Matters
When a user-controlled value reaches an unprepared query, an attacker can change the structure of the statement rather than just its data (SQL injection) and read or modify arbitrary rows, including user credentials, options, and post content. Note that `$wpdb->prepare()` only protects values; table names, column names, and `ORDER BY` directions are identifiers and keywords, and quoting them as strings produces a broken or differently-behaving query, so they need a separate control.
How to Fix
- Replace each dynamic value in the SQL string with a placeholder: `%s` for strings, `%d` for integers, `%f` for floats, and, on WordPress 6.2 and later, `%i` for identifiers (table or column names).
- Pass the values as separate arguments to `$wpdb->prepare()` in the same order as the placeholders. Do not wrap `%s` in quotes; `prepare()` adds the quoting itself. A literal `%` in the query text must be written as `%%`.
- For `LIKE` patterns, escape the user term with `$wpdb->esc_like()` and add the `%` wildcards to the value before binding it with `%s`.
- For table names, column names, and sort directions, compare the input against a strict allowlist and use only the allowlisted value; `%i` quotes an identifier but does not decide whether it is an acceptable one.
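The following is an added example, not code from the sniff's own documentation or from any plugin listed on this page. It assumes a hypothetical plugin table `{$wpdb->prefix}myplugin_events` with columns `id`, `user_id`, `title`, `status` and `created_at`; the function names and the `$_GET` parameters are likewise invented for illustration. The first function is the shape the sniff reports; the second shows values bound through placeholders, a `LIKE` term escaped with `esc_like()`, an allowlisted column and direction, and a variable-length `IN (...)` list built from `%d` placeholders.

```php
<?php
// Added example for the WordPress.DB.PreparedSQL.NotPrepared sniff.
// Hypothetical table: {$wpdb->prefix}myplugin_events (id, user_id, title, status, created_at).

// BEFORE (flagged): every dynamic piece is interpolated straight into the SQL.
// A $status of  x' OR '1'='1  changes the WHERE clause instead of matching a value.
function myplugin_events_unsafe( $status, $search, $orderby, $order ) {
    global $wpdb;
    $sql = "SELECT id, user_id, title FROM {$wpdb->prefix}myplugin_events
            WHERE status = '{$status}' AND title LIKE '%{$search}%'
            ORDER BY {$orderby} {$order}";
    return $wpdb->get_results( $sql );
}

// AFTER: values are bound with placeholders, identifiers come from allowlists.
function myplugin_events_safe( $status, $search, $orderby, $order ) {
    global $wpdb;

    // Identifiers and keywords cannot be bound as values, so allowlist them.
    // Anything not on the list falls back to a safe default.
    $allowed_orderby = array( 'id', 'created_at', 'status' );
    $orderby = in_array( $orderby, $allowed_orderby, true ) ? $orderby : 'id';
    $order   = ( 'DESC' === strtoupper( (string) $order ) ) ? 'DESC' : 'ASC';

    // esc_like() escapes %, _ and \ in the user term so they match literally;
    // the wildcards are added afterwards and the whole pattern is bound with %s.
    // Building the wildcards into the value also avoids a literal % in the
    // format string, which would otherwise have to be written as %%.
    $like = '%' . $wpdb->esc_like( $search ) . '%';

    // %s is quoted by prepare() itself, so the placeholders are not wrapped in quotes.
    // %i (WordPress 6.2+) backtick-quotes the column name; the allowlist above still
    // decides which column is used. The direction keyword has no placeholder type, so
    // the allowlisted literal is concatenated; the sniff cannot see the allowlist,
    // hence the documented phpcs:ignore on that line.
    $sql = $wpdb->prepare(
        "SELECT id, user_id, title FROM {$wpdb->prefix}myplugin_events
         WHERE status = %s AND title LIKE %s
         ORDER BY %i " . $order, // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- $order is allowlisted to ASC/DESC above.
        $status,
        $like,
        $orderby
    );
    return $wpdb->get_results( $sql );
}

// Variable-length IN (...) list: one %d placeholder per value, values spread as arguments.
// wp_parse_id_list() reduces the input to unique non-negative integers first.
function myplugin_events_by_ids( $ids ) {
    global $wpdb;
    $ids = wp_parse_id_list( $ids );
    if ( empty( $ids ) ) {
        return array();
    }
    $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT id, user_id, title FROM {$wpdb->prefix}myplugin_events WHERE id IN ( {$placeholders} )", // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- $placeholders contains only %d tokens.
        $ids
    );
    return $wpdb->get_results( $sql );
}

// Hypothetical request handling, for illustration only.
$events = myplugin_events_safe(
    isset( $_GET['status'] ) ? sanitize_key( wp_unslash( $_GET['status'] ) ) : 'open',
    isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '',
    isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'id',
    isset( $_GET['order'] ) ? sanitize_key( wp_unslash( $_GET['order'] ) ) : 'ASC'
);
```

The `phpcs:ignore` annotations are not a way around the sniff; they record that the only pieces still concatenated are an allowlisted keyword and a string made of `%d` tokens, and a reviewer can verify that claim by reading the lines above them. The `prepare()` call fed a single array of values for the `IN` list relies on the documented behaviour that `$wpdb->prepare()` accepts the arguments either individually or as one array.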
References
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1001 | Portfolio, Gallery, Product Catalog – Grid KIT Portfolio | 31 | 61 | 329 | 6k+ | | | Non-prefixed global variable |
| #1002 | Active Products Tables for WooCommerce. Use constructor to create tables | 31 | 364 | 424 | 1k+ | | | Output is not escaped |
| #1003 | Push notification for Mobile and Web app | 31 | 87 | 83 | 400 | | | Non Singular String Literal Domain |
| #1004 | Raffle Play Woocommerce | 31 | 151 | 199 | 800 | | | Output is not escaped |
| #1005 | Rank Math SEO – AI SEO Tools to Dominate SEO Rankings | 31 | 45 | 373 | 4m+ | | | Non-prefixed global variable |
| #1006 | Social Share Buttons | 31 | 462 | 156 | 1k+ | | | Text Domain Mismatch |
| #1007 | Page Builder by SiteOrigin | 31 | 226 | 214 | 400k+ | | | Output is not escaped |
| #1008 | Slider Carousel – Image Slider | 31 | 224 | 1,233 | 3k+ | | | Request data is not unslashed |
| #1009 | Smart Keywords Tool – 智能关键词插件 | 31 | 361 | 33 | 600 | | | Non Singular String Literal Domain |
| #1010 | Staatic – Static Site Generator for WordPress | 31 | 420 | 195 | 2k+ | | | SQL query is not prepared |
| #1011 | WP Testimonials | 31 | 183 | 455 | 10k+ | | | Non-prefixed global variable |
| #1012 | Blacklist Manager – WooCommerce Anti-Fraud, Blacklist & Checkout Verification | 31 | 284 | 830 | 2k+ | | | Missing nonce verification |
| #1013 | Web Push Notifications – Webpushr | 31 | 169 | 293 | 10k+ | | | Output is not escaped |
| #1014 | WooCommerce Legacy REST API | 31 | 324 | 177 | 400k+ | | | Missing Translators Comment |
| #1015 | Tooltips for WordPress | 31 | 312 | 252 | 5k+ | | | Output is not escaped |
| #1016 | WPGatsby | 31 | 125 | 55 | 3k+ | | | Text Domain Mismatch |
| #1017 | WP Visitor Statistics (Real Time Traffic) | 31 | 353 | 691 | 20k+ | | | Nonce verification recommended |
| #1018 | WP ULike – Like & Dislike Buttons for Engagement and Feedback | 31 | 269 | 358 | 60k+ | | | Output is not escaped |
| #1019 | WP125 | 31 | 178 | 184 | 3k+ | | | Unsafe printing function |
| #1020 | Hosting Benchmark tool | 31 | 202 | 115 | 4k+ | | | rand rand |
| #1021 | One to one user Chat by WPGuppy | 31 | 74 | 187 | 700 | | | Non-prefixed global variable |
| #1022 | WPDoctor Malware Scanner & Vulnerability Checker & IP blocker with Hack monitor Lite | 31 | 133 | 438 | 600 | | | Non-prefixed global variable |
| #1023 | ActiveDEMAND | 32 | 157 | 161 | 1k+ | | | Output is not escaped |
| #1024 | Advanced Access Manager – Access Governance for WordPress | 32 | 849 | 62 | 100k+ | | | Output is not escaped |
| #1025 | AI Alt Text Generator | 32 | 76 | 24 | 1k+ | | | Missing Translators Comment |
| #1026 | annasta Filters for WooCommerce | 32 | 1,073 | 441 | 2k+ | | | Text Domain Mismatch |
| #1027 | APCu Manager | 32 | 151 | 126 | 10k+ | | | Output is not escaped |
| #1028 | Author Avatars List/Block | 32 | 85 | 135 | 4k+ | | | Non-prefixed hook name |
| #1029 | Auto YouTube Importer | 32 | 338 | 173 | 1k+ | | | Text Domain Mismatch |
| #1030 | BuddyPress for LearnDash | 32 | 190 | 284 | 1k+ | | | Output is not escaped |
| #1031 | Quantity Discounts, Breaks & Product Bundles for Woocommerce By Bundler | 32 | 147 | 319 | 400 | | | Direct Query |
| #1032 | Code Manager | 32 | 217 | 261 | 500 | | | Nonce verification recommended |
| #1033 | Vimeotheque – Vimeo WordPress Plugin & Video Gallery | 32 | 642 | 264 | 2k+ | | | Unsafe printing function |
| #1034 | CSV Import and Exporter | 32 | 83 | 138 | 1k+ | | | Non-prefixed global variable |
| #1035 | Fable Extra | 32 | 79 | 282 | 4k+ | | | Non-prefixed global variable |
| #1036 | FA Lite – WP responsive slider plugin | 32 | 726 | 140 | 500 | | | Unsafe printing function |
| #1037 | Freesoul Deactivate Plugins – Disable plugins on individual WordPress pages | 32 | 53 | 773 | 9k+ | | | Nonce verification recommended |
| #1038 | WP Gravity Forms HubSpot | 32 | 771 | 160 | 600 | | | Text Domain Mismatch |
| #1039 | CRM Perks Integration for Gravity Forms and Salesforce | 32 | 807 | 178 | 1k+ | | | Text Domain Mismatch |
| #1040 | WP Gravity Forms Zoho CRM and Bigin | 32 | 750 | 174 | 400 | | | Text Domain Mismatch |
| #1041 | GlotPress | 32 | 403 | 103 | 500 | | | Unsafe printing function |
| #1042 | GraphComment Comment system | 32 | 217 | 225 | 400 | | | Unsafe printing function |
| #1043 | GSheetConnector For WPForms – WPForms Google Sheets Integration (Real-Time Sync) | 32 | 120 | 145 | 8k+ | | | Non-prefixed global variable |
| #1044 | Gwolle Guestbook | 32 | 269 | 527 | 20k+ | | | Output is not escaped |
| #1045 | Honeypot Toolkit | 32 | 155 | 770 | 400 | | | Missing nonce verification |
| #1046 | HTML5 jQuery Audio Player | 32 | 251 | 153 | 1k+ | | | Unsafe printing function |
| #1047 | HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce | 32 | 396 | 142 | 20k+ | | | Output is not escaped |
| #1048 | Manager for IcoMoon | 32 | 270 | 68 | 400 | | | Short PHP open tag found |
| #1049 | MapPress Maps for WordPress | 32 | 695 | 133 | 30k+ | | | Missing Arg Domain |
| #1050 | Organization chart | 32 | 187 | 334 | 5k+ | | | SQL query is not prepared |